On Sun, Jul 02, 2017 at 11:55:35PM +0200, NicoHood wrote: > Yes the GPG signature of the tag commit is checked. However you can > attack the git metadata and set a tag to a different commit. If this > commit is signed, but at an older stage which is vulnearable, we have an > issue. Just one example. So we should always also secure the transport > layer. > https://www.usenix.org/conference/usenixsecurity16/technical-sessions/presentation/torres-arias >
The sign includes the hash. You would essentially have to trick Lennart into replacing the tag to a different commit, and sign the tag. Creating a vulnerable but verified source for the PKGBUILD. At this point i think we have bigger problems then whatever the PKGBUILD is doing... -- Morten Linderud PGP: 9C02FF419FECBE16
signature.asc
Description: PGP signature
